CVE-2026-14890
Received Received - Intake

Unauthenticated Remote Code Execution in SGLang via Malicious Pickle File

Vulnerability report for CVE-2026-14890, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-16

Last updated on: 2026-07-16

Assigner: CERT/CC

Description

SGLang uses an expert-parallel backup subsystem that exposes a ZeroMQ PULL socket on a routable network interface that does not contain authentication or deserialization safeguards, allowing an attacker to provide a malicious pickle file that results in unauthenticated remote code execution when the feature is enabled and the service is reachable over the network.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-16
Last Modified
2026-07-16
Generated
2026-07-16
AI Q&A
2026-07-16
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
sgl_project sglang *

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

SGLang has a feature called expert-parallel backup that uses a ZeroMQ PULL socket on a network interface without authentication or input validation. An attacker can send a malicious pickle file to this socket, which executes arbitrary code remotely when the feature is enabled and the service is accessible over the network.

Detection Guidance

Check for open ZeroMQ PULL sockets on routable network interfaces using tools like netstat or ss. Look for processes running expert_backup_manager.py or related SGLang services. Monitor network traffic for unauthenticated connections to ports associated with ZeroMQ communication.

Impact Analysis

This vulnerability allows unauthenticated remote attackers to execute arbitrary code on systems running SGLang with the vulnerable expert-parallel backup feature enabled. This could lead to full system compromise, data theft, or disruption of services.

Compliance Impact

This vulnerability could lead to unauthorized access and data breaches, violating GDPR's data protection requirements and HIPAA's security rules for protected health information. Organizations may face fines, legal penalties, and reputational damage if exploited.

Mitigation Strategies

Disable the expert-parallel backup subsystem if not in use. Restrict network access to ZeroMQ ports using firewalls. Ensure all ZeroMQ sockets require authentication and validate deserialization inputs. Update SGLang to the latest patched version if available.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-14890. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart